Ransomware and the Vanishing Security of Anonymity

There used to be a common belief, among cybersecurity professionals and business users alike, that you had to have something of value on your network for hackers to come after you. This is true to some extent, although many people think of value as money and only worry about financial data. Some also recognize the value of intellectual property, and there’s increasing awareness of the black-market value of personally identifiable information.

Ransomware has changed that concept of value. In a ransomware attack, malware encrypts all of the data on a system as well as any other systems and storage devices that are accessible via the network. The attacker then demands a ransom in exchange for the encryption key. The attackers aren’t looking for data that might have some value to themselves or a third party. They are depending upon the intrinsic value of the data to the victim.

So, as a first step, we need to rid ourselves of the assumption that we’ll find safety in anonymity. Anonymity only works as a defensive technique when someone is putting time and effort into a targeted attack.

Many of the attack vectors that have become ubiquitous require little knowledge of the organization being attacked. Rather, threat actors cast a wide net, entrapping anyone unlucky enough to click on a malicious link or download an unknown executable. The attackers operate under the assumption that there is something of value to the organization on the system or network the victim is using.

Cybercriminals are capable of sending ransomware attacks to millions of computers, increasing the odds that they’ll find a victim. Increasingly, malicious actors are also targeting large organizations with ransomware attacks that not only encrypt data but cripple business systems. Maersk, a global shipping firm, fell victim to such an attack, which resulted in revenue losses estimated at $200 million to $300 million.

According to data from Symantec, the average ransom demand has more than tripled since 2015, from $294 to $1,077. However, the financial impact on victim organizations is far higher. Organizations face the cost of downtime, responding to the incident, data loss, and potential regulatory fines and penalties. If the victim organization is a hospital, the cost could include loss of life.

Law enforcement officials say you should not pay the ransom because it only emboldens the perpetrators and funds their criminal enterprise. Furthermore, paying the ransom is no guarantee that the hackers will provide the decryption key.

Many organizations do pay, however. In a recent IBM X-Force survey, nearly half of business executives said their organizations had experienced ransomware attacks. Seventy percent of those executives said they had paid the ransom, with half paying more than $10,000 and 20 percent paying more than $40,000. Nearly 60 percent indicated they’d be willing to pay a ransom to recover data, with 25 percent saying they’d pay upwards of $50,000 depending on the data type.

Cybercriminals know that, so ransomware attacks continue to escalate. Security through anonymity is no longer realistic. Organizations must undertake the difficult task of patching their systems, maintaining frequent, offline backups and educating users to be cautious when downloading attachments and clicking links. The consequences of leaving your network vulnerable, like a house without windows or a front door, can be catastrophic.

SageNet offers a full suite of cybersecurity services, including risk assessments, that address ransomware and other threats. We can help you implement security and tools and processes that reduce the risk that an attack will be successful.